Google in Dutch: Privacy changes BREAK data law, says Netherlands

Google broke data protection law in the Netherlands when the ad giant tweaked its privacy policy in March 2012, says the country's privacy watchdog.

The Dutch Data Protection Authority said on Thursday that Google had breached the country's rules because it had failed to adequately inform all its users in advance about the changes it was making to its service.

"Google spins an invisible web of our personal data, without our consent. And that is forbidden by law", said Dutch DPA chairman Jacob Kohnstamm.

The regulator said it had invited the company to a hearing. It will only decide on any enforcement action after discussions have taken place with Google.

It added:

​With its services, Google reaches almost every person in the Netherlands with internet access. It is almost impossible not to use Google services on the internet. Many internet users use the search engine Search, the video service YouTube or the webmail Gmail.

In the Report, three types of users of Google services are distinguished: people with a Google account, people without a Google account that use the open services of Google such as Search and YouTube, and people that do not use Google. Google also collects data about this last group of users, when they for example visit one of the more than 2 million websites worldwide with Google advertising cookies.

The DPA said that, during its seven-month probe, the watchdog determined that Google burrowed deeply into the personal data of Dutch netizens by knitting together services across the web for the purposes of targeted advertising.

"Some of these data are of a sensitive nature, such as payment information, location data and information on surfing behaviour across multiple websites. Data about search queries, location data and videos watched can be combined, while the different services serve entirely different purposes from the point of view of users," it said.

The watchdog concluded that Google had not sought the consent of users before cutting and shutting its privacy policies together in order to combine personal data across its massive online empire.

"The consent, required by law, for the combining of personal data from different Google services cannot be obtained by accepting general (privacy) terms of service," the Dutch DPA concluded.